AW: media type review requested for application/auth-policy+xml

Hi Mark, thanks for the quick response. Please find some comments inline:
Hi,
On 4/13/06, Tschofenig, Hannes <hannes.tschofenig@siemens.com> wrote:
- security section should also reference sec 10 of RFC 3023.
Why do you think so? I read through Section 10 of RFC 3023 and I don't think that the aspects there are applicable for our usage environment.
The aspects of security described in that section are quite generic, so I'd be surprised if that were the case. Just as one example, do you rule out the use of external entities with auth-policy+xml? If not, then that section is relevant as it describes some potential security problems with their use.
FWIW, I think any +xml type should reference it as a matter of course.
We have external entities updating and receiving the authorization policies. However, we capture this issue already in the security consideration section in the Common Policy draft. The additional issues listed in RFC 3023 regarding
* validation,
* system level command execution
* CSS style sheets, XSL transformations,
* xmldsig usage
* change the display processor environment
Still, I can, if you want, make a reference to RFC 3023 if you think that this is, in general, a good idea.
- I'd recommend picking a file extension specific to this media type, as many Web servers come pre-configured to serve .xml files as application/xml, or even an RSS media type.
I don't care about the file extension. Can you suggest something reasonable?
How about "apxml"? I checked "apx", but it's been used before;
http://filext.com/detaillist.php?extdetail=apx&Search=Search
For me this sounds good. Still, I sent a mail to the Geopriv ML.
Ciao
Hannes
Cheers,
Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca

On 4/13/06, Tschofenig, Hannes <hannes.tschofenig@siemens.com> wrote:
Still, I can, if you want, make a reference to [sec 10 of] RFC 3023 if you think that this is, in general, a good idea.
I think that would be best, yes.
How about "apxml"? I checked "apx", but it's been used before;
http://filext.com/detaillist.php?extdetail=apx&Search=Search
For me this sounds good. Still, I sent a mail to the Geopriv ML.
Great!
Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca